dockerfile.best-practice.missing-apk-no-cache.missing-apk-no-cache

semgrep

Author

unknown

Download Count*

License

This apk command is missing '--no-cache'. This forces apk to use a package index instead of a local package cache, removing the need for '--update' and the deletion of '/var/cache/apk/*'. Add '--no-cache' to your apk command.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: missing-apk-no-cache
    patterns:
      - pattern: |
          RUN apk $COMMAND ...
      - pattern-not-inside: |
          RUN apk ... --no-cache ...
    languages:
      - dockerfile
    message: This apk command is missing '--no-cache'. This forces apk to use a
      package index instead of a local package cache, removing the need for
      '--update' and the deletion of '/var/cache/apk/*'. Add '--no-cache' to
      your apk command.
    severity: INFO
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3019
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3019
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-apk-no-cache.dockerfile

FROM alpine:3.7

# ruleid: missing-apk-no-cache
RUN apk update \
    && apk add foo=1.0 \
    && rm -rf /var/cache/apk/*

# ruleid: missing-apk-no-cache
RUN apk add --update foo=1.0 \
    && rm -rf /var/cache/apk/*

# ok: missing-apk-no-cache
RUN apk add --no-cache foo=1.0

# ok: missing-apk-no-cache
RUN apk add --no-cache --update foo=1.0

# ok: missing-apk-no-cache
RUN apk add --update --no-cache foo=1.0

# ruleid: missing-apk-no-cache
RUN apk add --virtual .build-deps \
gcc \
freetype-dev \
musl-dev

# ok: missing-apk-no-cache
RUN apk add --no-cache --virtual .build-deps \
gcc \
freetype-dev \
musl-dev


# ok: missing-apk-no-cache
RUN apk --no-cache add

Short Link: https://sg.run/Njv7